From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: Re: `guix pull` over HTTPS Date: Mon, 06 Mar 2017 11:06:13 +0100 Message-ID: <87mvcywwh6.fsf@gnu.org> References: <20170209155512.GA11291@jasmine> <20170210003054.GA12412@jasmine> <87fujmcb6w.fsf@gnu.org> <87lgte10eu.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <87inoh660r.fsf@gnu.org> <874m011xb2.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <871sv44x97.fsf@gnu.org> <20170228054616.GA28504@jasmine> <87shmy1hup.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <20170228162919.GA10253@jasmine> <87mvd61cxv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <87k28a11wt.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <87h93e0z4a.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:34662) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ckpX1-0007Bw-UC for guix-devel@gnu.org; Mon, 06 Mar 2017 05:06:20 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ckpWx-00006d-US for guix-devel@gnu.org; Mon, 06 Mar 2017 05:06:19 -0500 In-Reply-To: <87h93e0z4a.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> (Marius Bakke's message of "Tue, 28 Feb 2017 22:44:21 +0100") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Marius Bakke Cc: guix-devel@gnu.org Hi! Marius Bakke skribis: > From 800051909362b5817bbb386029edf14ffd8269a8 Mon Sep 17 00:00:00 2001 > From: Marius Bakke > Date: Tue, 28 Feb 2017 22:34:29 +0100 > Subject: [PATCH] pull: Default to HTTPS. > > * guix/build/download.scm (tls-wrap): Allow #:verify-certificate? to be a > search string for certificates. > * guix/scripts/pull.scm (%snapshot-url): Use HTTPS. > (guix-pull): Verify against the store path of NSS-CERTS. > --- > guix/build/download.scm | 7 +++++-- > guix/scripts/pull.scm | 8 ++++++-- > 2 files changed, 11 insertions(+), 4 deletions(-) > > diff --git a/guix/build/download.scm b/guix/build/download.scm > index 203338b52..88da1776f 100644 > --- a/guix/build/download.scm > +++ b/guix/build/download.scm > @@ -342,13 +342,16 @@ way." >=20=20 > (define* (tls-wrap port server #:key (verify-certificate? #t)) > "Return PORT wrapped in a TLS connection to SERVER. SERVER must be a = DNS > -host name without trailing dot." > +host name without trailing dot. If VERIFY-CERTIFICATE? is a string, it = is > +assumed to be the search path for TLS certificates passed to gnutls." > (define (log level str) > (format (current-error-port) > "gnutls: [~a|~a] ~a" (getpid) level str)) >=20=20 > (let ((session (make-session connection-end/client)) > - (ca-certs (%x509-certificate-directory))) > + (ca-certs (if (string? verify-certificate?) > + verify-certificate? > + (%x509-certificate-directory)))) Nitpick: I would prefer to use a different argument for the certificate directory. Something like this: (define* (tls-wrap port server #:key (verify-certificate? #t) (certificate-directory (%x509-certificate-directory))) =E2=80=A6)=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20= =20=20=20=20=20=20=20=20=20=20=20=20=20 Also the =E2=80=98guix pull=E2=80=99 part should be a separate patch. Great work, thank you! Ludo=E2=80=99.